# talk-kratos
d
or how to get Kratos to start using the phone number for 2FA?
b
d
Yep, seen the docs, and I’m not worried about the SMS sending as courier seems configured correctly. But how does a user enable 2FA using their phone number (e.g. through a settings flow)? Or does Kratos just start doing 2FA by mobile if the user has a verified phone number on their account?
I feel like there’s a gap in the docs where I can configure Courier to send SMS, I can add a phone number as a verifiable address to an identity, but what is the part in the middle that gets Kratos to use a phone number for 2FA?
b
Can you post your identity schema?
The user does not need to enable 2FA in the settings; instead you (the application implementor) request a 2FA flow that uses the trait: https://www.ory.sh/docs/kratos/mfa/mfa-via-sms#integration Especially this:
To start a new MFA flow, for an already existing session, create a new login flow with the `aal` parameter set to `aal2`. You’ll also need to specify which trait to use for delivering the code to the user. Make sure this trait exists in the identity schema and set the `via` parameter to its identifier. For example, if you have a trait called `phone_number`, you’d set `via` to `phone_number`.
d
Thanks for your patience Jonas. I guess I’m just a bit confused because 2FA via SMS seems to work in fundamentally different ways to Kratos’s other 2FA methods, like an authenticator app. When using an authenticator app, if you set whoami’s `required_aal` to highest available:

```yaml
whoami:
    required_aal: highest_available
```

The user will not be able to get their session info at `aal1`, and Kratos will redirect the client to an `aal2` login flow where they can enter the code from their authenticator app. In addition, the `available_aal` column in Kratos’s identities table changes to `aal2` when the user has configured an authenticator app (not that this is visible anywhere from the frontend API). However, if the user has added a verified phone number to their account, and Kratos is configured to allow 2FA via SMS, Kratos behaves completely differently. whoami will return the session info just fine at `aal1`. Yes, you can create an `aal2` login flow on the client, but Kratos doesn’t seem to care and does not consider SMS 2FA to mean that the higher AAL is available. This is also the case with settings flows set to `highest_available` - I would expect that Kratos would require `aal2` if the user has configured their phone number correctly, but it does not. It means that you can do things like change a password, get recovery codes, etc. without the higher AAL. What’s the point in going through an SMS 2FA flow if Kratos doesn’t seem to care about it?